Hi,
I have a remote control for locking and unlocking car doors which transmits on the 433MHz band. I bought a cheap 433MHz rf link (actually I bought three different ones) on ebay, so I could have a look and feel on how I can possibly make a car lock/unlock hack in the future.

I hook up +5V and ground to the receiver and connect my oscilloscope probe to the data pin (one of the two, they're connected together). I then see a lot of noise. Compared to the output of my car remote, I don't see how it will ever be possible to decode anything with all this noise?

In the picture below, yellow waveform is the rf noise on the data pin of the rf receiver, the blue waveform is data out on the encoder chip inside car remote. As you can see, the waveforms share the same timebase time/div (is it possible to have individual?) so how is it possible to ever read anything off of this? Please help me clarify the question if you do not understand it.

I'm sitting in my lab, and as far as I know there are no other appliances or similar using this frequency band except maybe the remote light switch thing, but I removed its batteries just to be sure.

Just figured something out. I took the output pin from the encoder chip on the remote and fed it to my transmitter bought on ebay. Bingo! The waveforms match up beautifully. It seems that this noise I'm seeing only appears when no apparent 433MHz device is broadcasting, and after a HIGH pulse on the receiver, the receiver waits ~40ms until the noise reappears. So with a pulse train of normal pulse widths this will be no problem.

And by the way, the car remote was not 433MHz after all. Don't know where I got it from, I bought them a long time ago.

Is there any easy way to determine the frequency used by my remote? Doesn't really matter though, just interested. You see, I ordered this new TI Chronos development kit (a watch) with the 433MHz option (hoping this will open my car doors some day), so whatever frequency the car remote is, I must hack myself in with the devices from ebay.
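The observation above (receiver noise while no carrier is present, a clean pulse train once a transmitter is on air) is easy to model. The following is an added example, not code from the original post: it constructs a fake capture of the receiver's data pin as a list of (level, duration in microseconds) pulses, with random narrow noise pulses around a PWM-encoded frame, and a decoder that only accepts pulses whose widths match a nominal scheme and that counts everything narrower than a glitch threshold as noise. The timing scheme (10 ms sync gap, 300/900 µs bit pulses, ±25% tolerance, 150 µs glitch threshold) is an assumption for the demonstration and is not taken from any real remote.

```python
"""Constructed model of a 433 MHz OOK receiver data pin: noise while idle,
a clean pulse train while a transmitter is on air (added example)."""
import random

# Assumed timing scheme in microseconds; not taken from any real remote.
SYNC_LOW_US = 10_000          # long low gap that precedes a frame
SHORT_US, LONG_US = 300, 900  # '1' = long high + short low, '0' = short high + long low
TOLERANCE = 0.25              # accept pulses within +/-25% of nominal
MIN_PULSE_US = 150            # a high pulse narrower than this is treated as receiver noise


def coalesce(pulses):
    """Merge adjacent pulses of the same level, as a real edge capture would."""
    out = []
    for level, dur in pulses:
        if out and out[-1][0] == level:
            out[-1] = (level, out[-1][1] + dur)
        else:
            out.append((level, dur))
    return out


def encode_frame(bits):
    """Pulse list for one PWM-encoded frame, starting with the sync gap."""
    pulses = [(0, SYNC_LOW_US)]
    for b in bits:
        pulses += [(1, LONG_US), (0, SHORT_US)] if b == '1' else [(1, SHORT_US), (0, LONG_US)]
    return pulses


def noise_burst(n, rng):
    """Random narrow pulses, standing in for what the receiver emits with no carrier."""
    out = []
    for _ in range(n):
        out.append((1, rng.randint(20, 140)))
        out.append((0, rng.randint(20, 400)))
    return out


def capture(bits, seed=1):
    """Constructed capture: noise, one frame, a ~40 ms quiet gap, then noise again."""
    rng = random.Random(seed)
    return coalesce(noise_burst(40, rng) + encode_frame(bits) + [(0, 40_000)] + noise_burst(40, rng))


def near(value, nominal):
    return abs(value - nominal) <= nominal * TOLERANCE


def decode(pulses, min_bits=8):
    """Return (frames, glitches): decoded bit strings and the number of noise pulses rejected.

    A frame is only started after a sync-length low gap; each high/low pair must
    match one of the two bit shapes, otherwise the frame ends. Frames shorter than
    min_bits (which is what noise produces) are discarded."""
    sync_min = SYNC_LOW_US * (1 - TOLERANCE)
    frames, glitches = [], 0
    i = 0
    while i < len(pulses):
        level, dur = pulses[i]
        if level != 0 or dur < sync_min:
            if level == 1 and dur < MIN_PULSE_US:
                glitches += 1
            i += 1
            continue
        bits, j = [], i + 1
        while j + 1 < len(pulses):
            (_, high), (_, low) = pulses[j], pulses[j + 1]
            if near(high, LONG_US):
                bit, expected_low = '1', SHORT_US
            elif near(high, SHORT_US):
                bit, expected_low = '0', LONG_US
            else:
                break                      # noise or unknown shape: frame ends here
            ended = low >= sync_min        # the last bit's low merges into the quiet gap
            if not (near(low, expected_low) or ended):
                break
            bits.append(bit)
            if ended:
                j += 1                     # leave the gap in place as the next sync candidate
                break
            j += 2
        if len(bits) >= min_bits:
            frames.append(''.join(bits))
        i = j
    return frames, glitches


if __name__ == '__main__':
    print(decode(capture('1011000111001010')))
```

With the constructed capture, `decode` returns the single 16-bit frame and reports 80 rejected noise pulses; a capture containing no frame at all yields no frames. The point is that the noise has no effect on decoding as long as the decoder gates on a sync gap and on pulse widths, which is why the pulse train in the post lines up cleanly once a transmitter is keyed.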

^Points out to iONic that RKE systems cannot be tapped due to how they work.


RKE?

I know some systems use a "rolling code" feature for making them more difficult to tap. While I understand the basic principle, I do not know exactly what they do. I used to sell systems like this, universal ones imported from China, so that's why I have many lying around.

I also know that more sophisticated systems use transceivers in both car and remote, and in that way implement some sort of 2-way communication protocol.


Remote keyless entry.

Most cars use the rolling code system; they depend on the specific sequence of codes, and not any one in particular. In theory, if you record enough codes, you can figure out the secret key. But by then it might be easier just to steal the key.
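A small model of what "depending on the sequence of codes" means on the receiver side, as an added example that is not from this thread and is not KeeLoq or any vendor's scheme: the fob and the car share a key and a counter, each button press sends a keyed code for the next counter value, and the car accepts a code only if it belongs to a counter value inside a look-ahead window beyond the last one it accepted. The key, the window size and the HMAC construction are assumptions chosen for the demonstration.

```python
"""Toy rolling-code fob and receiver (added example, not a real vendor scheme)."""
import hashlib
import hmac

WINDOW = 16  # counter values ahead of the last accepted one that the receiver will still accept


def rolling_code(key: bytes, counter: int) -> str:
    """Code for one counter value: a truncated HMAC of the counter under the shared key."""
    mac = hmac.new(key, counter.to_bytes(4, 'big'), hashlib.sha256).digest()
    return mac[:4].hex()


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> str:
        """Every press advances the counter, so no code is ever sent twice."""
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.last = key, counter

    def accept(self, code: str) -> bool:
        """Accept only codes for counter values in (last, last + WINDOW].

        Anything at or below 'last' is a replay of an old code and is rejected;
        anything beyond the window is treated as out of sync and also rejected."""
        for c in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.last = c
                return True
        return False


def scenario() -> dict:
    """Walk one fob/receiver pair through the cases that matter and return the outcomes."""
    key = b'constructed-demo-key'  # constructed value, not a real key
    fob, car = Fob(key), Receiver(key)
    results = {}

    first = fob.press()
    results['fresh'] = car.accept(first)        # a new code is accepted
    results['replay'] = car.accept(first)       # the same code again is not

    for _ in range(5):                          # presses out of range of the car
        skipped = fob.press()
    results['resync'] = car.accept(skipped)     # still inside the window: accepted, counter catches up

    for _ in range(WINDOW + 4):                 # far more presses than the window covers
        far = fob.press()
    results['beyond_window'] = car.accept(far)  # outside the window: rejected
    return results


if __name__ == '__main__':
    print(scenario())
```

The four outcomes are accepted, rejected, accepted, rejected. The replay case is the security property the post describes: a recorded code is useless once the receiver has moved past it. The last case is the usability trade-off the window size sets: press the fob enough times out of range and the pair falls out of sync, which is why real systems need some resynchronisation procedure beyond this toy.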